
In this article, we will see how to configure DNS doctoring on the Cisco ASA. We will start by looking at the problem that DNS doctoring solves and then see how it solves this problem.

Consider the diagram below:

The web server (webserver.example.com) located in the DMZ should be accessible from both the inside (i.e., the LAN) and the outside (i.e., the Internet). For the public access to the web server, static NAT has been configured on the ASA to translate the real IP address (172.16.1.100) to a mapped IP address of 192.0.2.5.

Now, there are two possible scenarios that can occur in a network like this:

If the DNS server is configured to resolve the FQDN webserver.example.com to the real IP address of 172.16.1.100, then LAN clients will be able to access the web server but remote clients will not, because the real IP address is not routable on the Internet.

If the DNS server is configured to resolve the FQDN webserver.example.com to the mapped IP address of 192.0.2.5, then that server will only be accessible by remote clients and not from the LAN.

Let’s examine these problems using a GNS3 lab. My web server is just a router with the HTTP server turned on. The DNS server is also a router configured to answer DNS requests. The configuration on the ASA is as follows:

In the configuration above, I have allowed DNS requests from any IP address on the outside to the DNS server. IP addresses from the outside are allowed to open HTTP connections to the web server and also ping the web server (for testing purposes). Finally, I have enabled ICMP inspection on the ASA (not shown in the configuration above) using the modular policy framework.

The current DNS configuration on the DNS server is as follows:

ip host webserver.example.com 172.16.1.100

A ping from the LAN client (PC1) goes through, as shown below:

Hint: I’m using VPCS for my PCs. To configure the DNS server on a VPCS, use the command ip dns <ip_address>.

However, if we try to ping from the remote client (PC2), even though the FQDN is resolved successfully, the ping will not go through because it resolves to the real IP address of the web server:

Note: Remember to use the mapped IP address of the DNS server (192.0.2.3) as the DNS server on the remote client.

If you enable logging on the Cisco ASA while pinging from the remote client, you will see the following error:

Let’s simulate the other scenario, where the DNS server is configured to return the mapped IP address of 192.0.2.5. In this case, the remote client will be able to ping the web server but the LAN client will not.

The configuration change on the router acting as the DNS server will be as follows:

The logs on the ASA will show that the ASA tries to build a connection to the outside IP address of 192.0.2.5 and since the web server is on the DMZ interface, that connection will never be successful and will eventually time out:

One of the ways we can resolve this issue is by enabling DNS doctoring on the Cisco ASA. Let’s assume that the DNS server is configured with the real IP address of the web server. With DNS doctoring enabled, when a remote client makes a DNS request and the ASA sees the response, it will change the real IP address in the DNS response to the mapped IP address.

On the other hand, if the DNS server is located on the outside and is configured with the mapped IP address of the web server, when a LAN client makes a DNS request to that DNS server and the server responds, the ASA will change the mapped IP address in the response to the real IP address of the web server so that the LAN client can access it locally.

Note: DNS inspection must be enabled on the Cisco ASA (in the MPF configuration) for DNS doctoring to work. DNS inspection is enabled in the default MPF configuration on the ASA.

To enable DNS doctoring, we just need to add the “dns” keyword to our static NAT configuration for the web server. Therefore, our configuration on the ASA will be:

object network WEB_SRVR_REAL
nat (dmz,outside) static 192.0.2.5 dns
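To make the rewrite that the dns keyword enables concrete, here is an added Python model of the behaviour (not the ASA's code and not part of the original article): it walks the answer section of a DNS reply and, for A records whose address matches the static NAT entry, swaps real for mapped when the reply heads to the outside and mapped for real when the reply comes in from the outside. The reply packet, the function names and the single-entry NAT table are all constructed for the illustration.

```python
import struct
import ipaddress
NAT_REAL_TO_MAPPED = {"172.16.1.100": "192.0.2.5"}  # the article's (dmz,outside) static NAT

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def _first_answer_offset(pkt):
    qdcount = struct.unpack_from("!H", pkt, 4)[0]
    off = 12                        # fixed DNS header
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4   # QNAME, then QTYPE + QCLASS
    return off

def doctor_dns_response(pkt, nat=NAT_REAL_TO_MAPPED, to_outside=True):
    """Rewrite A-record RDATA in a reply: real->mapped when the reply heads
    towards the outside, mapped->real when it comes in from the outside."""
    table = nat if to_outside else {v: k for k, v in nat.items()}
    ancount = struct.unpack_from("!H", pkt, 6)[0]
    out = bytearray(pkt)
    off = _first_answer_offset(pkt)
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:   # A record: only addresses the NAT entry knows are touched
            addr = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            if addr in table:
                out[off:off + 4] = ipaddress.IPv4Address(table[addr]).packed
        off += rdlen
    return bytes(out)

def build_reply(name, addr, txid=0x1234):
    """Constructed sample reply: one question, one A answer whose name is a pointer to the QNAME."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answered_address(pkt):
    """Read the first A answer's address back out of a reply."""
    off = _skip_name(pkt, _first_answer_offset(pkt)) + 10
    return str(ipaddress.IPv4Address(pkt[off:off + 4]))
```

Addresses that are not in the NAT entry pass through untouched, which is also why the real ASA only doctors replies for the object carrying the dns keyword.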

Of course for DNS doctoring to work, the ASA must be in the path of the DNS response. Therefore, let’s change the configuration on the DNS server to point back to the real IP address and then test to see if the remote client can also connect successfully.

Now I will ping from both clients and you will see our configuration in effect:

You can also test that DNS doctoring works by moving the DNS server to the outside and configuring that server with the mapped IP address of the web server. If the LAN client queries that DNS server for the IP address of the web server, then the ASA will change the IP address in the response to the real IP address of the web server.

Summary

In this article, we have seen the problem that can occur when the same DNS server is serving both inside and outside users. We have enabled DNS doctoring on the Cisco ASA to resolve this issue.

Adeolu Owokade is a technology lover who has always been intrigued by security. He has multiple years of experience in the design, implementation and support of network and security technologies. He's a CCIE (Security) with a newfound love of writing.
